Spike Toolkit: A New DDoS Threat


1
Spike DDoS Toolkit
  • A Multiplatform Botnet Threat

2
Overview
  • The Spike DDoS toolkit is a Chinese botnet
    toolkit discovered in 2014
  • Originally targeted at desktop Linux systems,
    Spike may also have payloads capable of targeting
    Windows
  • Spike has the unique ability to infect Linux ARM
    systems: the small devices used in mobile systems
    and appliances
  • Targeted devices include:
      • PCs
      • Servers
      • Routers
      • Internet of Things (IoT) devices such as smart
        thermostats and washer/dryers
      • Customer Premises Equipment (CPE) routing devices
      • Android phones and tablets

3
Toolkit Analysis
  • Spike has a standard command-and-control panel to
    control the bots, binary payloads for infection,
    and DDoS payload builders
  • The addition of an ARM payload suggests it may be
    targeting devices such as routers and IoT
    appliances
  • Two of the payload builders target 32- and 64-bit
    Linux systems
  • The third, Typhoon Builder, generates a 32-bit
    ARM Linux executable
  • Evidence of the payloads being ported to Windows
    has surfaced
  • The author uses "Mr. Black" as a pseudonym
  • Can launch SYN, DNS, UDP, and GET floods

4
Toolkit Screenshot

5
Observed Attack
  • Several campaigns have been reported against
    hosts in Asia and the U.S.
  • Several Akamai customers have already been
    targeted
  • One DDoS attack peaked at 215 Gbps and 150 Mpps

6
Attack Analysis
  • Spike has four types of attacks: SYN, GET, UDP
    and DNS floods
  • This assortment is fairly standard for malicious
    toolkits, and includes no new attack types
  • Spike also claims to include an ICMP flood, but
    testing has revealed it to be nonfunctional due
    to poor coding
  • The SYN, GET, UDP, and DNS floods are implemented
    simplistically, with no fundamentally new ideas
  • However, the multiplatform nature of its
    infections allows it to build potentially massive
    botnets

7
System Hardening
  • The multi-architecture malware code found in the
    kit increases its sophistication and complexity,
    requiring hardening measures for each targeted OS
    and platform
  • PLXsert anticipates further infestation and the
    expansion of this DDoS botnet
  • For more information, see the full threat
    advisory at stateoftheinternet.com, including a
    YARA rule for system hardening and a Snort rule
    for DDoS mitigation

8
Conclusion
  • There is a rising trend in Asian botnet activity
    that has targeted Linux servers primarily, but is
    now diversifying to target Windows hosts,
    routers, CPE and ARM-compatible Linux
    distributions as well
  • These botnets can thereby infect more machines
    and produce sizable attack campaigns
  • New multiplatform DDoS kits require system
    administrators to thoroughly check and harden
    previously safe devices
  • Spike does not use any new DDoS attacks; what it
    brings is diversity of infection
  • Unless there is a significant community effort,
    Spike and its descendants are likely to spread
    further

9
Spike DDoS Toolkit Threat Advisory
  • The Spike DDoS Toolkit Threat Advisory includes
    DDoS mitigation details for enterprises, such as:
      • Indicators of binary infection
      • Command-and-control panel
      • Toolkit variations
      • Bot initialization
      • DDoS payloads
      • Details of an observed attack campaign
      • DDoS mitigation techniques, including a Snort
        rule to stop the GET flood attack
      • System hardening resources
      • YARA rule for preventing bot infection
  • Download the full report for free at
    www.stateoftheinternet.com/spike

10
About StateOfTheInternet.com
  • StateoftheInternet.com, brought to you by Akamai,
    serves as the home for content and information
    intended to provide an informed view into online
    connectivity and cybersecurity trends as well as
    related metrics, including Internet connection
    speeds, broadband adoption, mobile usage,
    outages, and cyber-attacks and threats. Visitors
    to stateoftheinternet.com can find current and
    archived versions of Akamai's State of the
    Internet (Connectivity and Security) reports, the
    company's data visualizations and other resources
    designed to help put context around the
    ever-changing Internet landscape.
Description:

Most botnets target just one kind of system. The Spike DDoS toolkit, the forefront of an Asian crimeware trend, targets not only Linux and Windows systems, but takes aim at a new source of bots: embedded systems. A never-before-seen payload threatens to infect routers, CPE equipment, and even Internet of Things appliances such as smart thermostats and washer/dryers. In this short, 10- presentation, learn what you need to know to protect your network: stateoftheinternet.com/spike

Slides: 11
Provided by: Akamai